Information security guarantee system for express service users
Chapter I General Principles

Article 1 In order to strengthen the personal information security management of postal users, protect the legitimate rights and interests of users, safeguard postal communication and information security, and promote the healthy development of the postal industry, these Provisions are formulated in accordance with the Postal Law of the People's Republic of China (PRC), the Provisions of the NPC Standing Committee on Strengthening the Protection of Network Information, the Measures for the Safety Supervision and Administration of Postal Industry and other laws, administrative regulations and relevant provisions.

Article 2 These Provisions shall apply to the activities involving the safety of users' personal information and related supervision and management in the operation and use of delivery services within the territory of the People's Republic of China (PRC).

Article 3 The term "personal information of users of delivery services" as mentioned in these Provisions refers to the personal information of users in the process of using delivery services, including the name, address, ID number, telephone number, company name, delivery details, time and article details of senders (recipients).

Article 4 The supervision and management of information security of delivery users shall adhere to the principles of safety first, prevention first and comprehensive management to ensure the safety of users' personal information.

Article 5 The postal administration department of the State Council shall be responsible for the supervision and management of the information security of postal users throughout the country.

The postal administrations of provinces, autonomous regions and municipalities directly under the Central Government shall be responsible for the supervision and management of the information security of postal users within their respective administrative areas.

The postal administrations below the provincial level established in accordance with the provisions of the State Council are responsible for the supervision and management of the information security of users in the postal industry within their respective jurisdictions.

Postal administrations in the State Council, provinces, autonomous regions and municipalities directly under the Central Government and postal administrations below the provincial level are collectively referred to as postal administrations.

Article 6 Postal administrations shall cooperate with relevant departments to improve the information security guarantee mechanism for delivery users and safeguard the information security of delivery users.

Article 7 Postal enterprises, express delivery enterprises and their employees shall abide by the provisions of the State on information security management and these Regulations to prevent the information of delivery users from being leaked or lost.

Chapter II General Provisions

Article 8 Postal enterprises and express delivery enterprises shall establish and improve the information security systems and measures for delivery users, clarify the security responsibilities of various departments and posts within the enterprise, and strengthen the information security management and security responsibility assessment of delivery users.

Article 9 An enterprise engaged in express delivery business by way of franchise shall conclude a security clause for delivering user information in the franchise agreement, and clarify the franchisee and the franchisee's security responsibilities. When an information security accident happens to a franchisee, the franchisee shall bear corresponding security management responsibilities according to law.

Article 10 Postal enterprises and express delivery enterprises shall sign a confidentiality agreement with employees to send and receive user information, and clarify the confidentiality obligation and liability for breach of contract.

Article 11 Postal enterprises and express delivery enterprises should organize employees to carry out training on the knowledge and skills related to the information security protection of delivery users, strengthen professional ethics education, and constantly improve employees' legal concept and sense of responsibility.

Article 12 Postal enterprises and express delivery enterprises shall establish a complaint handling mechanism for the information security of delivery users, publish effective contact information, and accept and handle relevant complaints in a timely manner.

Article 13 Where postal enterprises and express delivery enterprises are entrusted by online shopping, TV shopping, mail order and other operators to provide delivery services, when signing an agreement with the entrusting party, they shall conclude information security clauses for delivery users, and specify the scope and mode of information use, information exchange security protection measures, information disclosure responsibility division and other contents.

Article 14 Postal enterprises and express delivery enterprises that entrust a third party to input and transmit user information shall confirm that they have the ability to ensure information security, and conclude information security clauses to clarify the division of responsibilities. Postal enterprises and express delivery enterprises shall bear corresponding responsibilities according to law if the information of delivery users is leaked or lost due to information security accidents of third parties.

Article 15 Postal enterprises, express delivery enterprises and their employees shall not provide any unit or individual with the information of delivery users without the explicit authorization of the law or the written consent of the users.

Article 16 The staff of public security organs, state security organs and procuratorial organs shall read and check the physical and electronic information files of the detailed list in accordance with the procedures prescribed by law, and postal enterprises and express delivery enterprises shall cooperate with each other and keep relevant information confidential.

Article 17 Postal enterprises and express delivery enterprises shall establish an emergency mechanism for the safety of delivering users' information. In case of sudden accidents of information security of delivery users, it shall immediately take remedial measures, report to the postal administration department in accordance with regulations, and cooperate with the investigation and handling work of the postal administration department and relevant departments, and shall not delay reporting, fail to report, make false reports or conceal them.

Chapter III Physical Information Security Management of Delivery List

Article 18 Postal enterprises and express delivery enterprises should strengthen the management of delivery schedule, register the issuance of blank delivery schedule, and track the number segment throughout the whole process to form a tracking record.

Article 19 Postal enterprises and express delivery enterprises shall strengthen the management of business places and processing places, prohibit irrelevant personnel from entering and leaving the places where mail (express mail) is processed and stored, prohibit irrelevant personnel from touching or reading mail (express mail), and prevent the physical information of delivery details (hereinafter referred to as physical information) from being leaked during processing.

Article 20 Postal enterprises and express delivery enterprises should optimize the delivery process and reduce contact with physical information processing links and operators.

Article 21 Postal enterprises and express delivery enterprises should take effective technical measures to prevent the disclosure of physical information in the process of delivery.

Article 22 Postal enterprises and express delivery enterprises should be equipped with safety monitoring equipment that meets the national standards, and arrange personnel with special skills to carry out safety monitoring on the physical information processing in the process of receiving, mailing, sorting, transportation and delivery.

Article 23 Postal enterprises and express delivery enterprises shall establish and improve the management system of physical files of delivery details, implement centralized closed management, determine centralized storage places, and recover and properly keep delivery details in time. The establishment and change of centralized storage places shall be reported to the local postal administrations in a timely manner.

Article 24 Postal enterprises and express delivery enterprises should set up a special person to manage the centralized storage place of detailed physical files, and take necessary safety protection measures to ensure the safety of storage.

Article 25 Postal enterprises and express delivery enterprises shall establish and strictly implement the inquiry management system of delivery details of physical files. When the internal personnel need to consult the files due to their work, they should ensure that the files are intact and properly registered, and they are not allowed to leave the storage place without authorization.

Article 26 Delivery details of the physical files should be kept in accordance with the relevant national standards. After the expiration of the storage period, the enterprise will carry out centralized destruction, make a good record of destruction, and it is strictly forbidden to throw it away or sell it.

Article 27 Postal enterprises and express delivery enterprises shall regularly check the physical information security, record the self-inspection, and eliminate the hidden dangers of information security found in the self-inspection in time.

Chapter IV Electronic Information Security Management of Delivery List

Article 28 Postal enterprises and express delivery enterprises shall, in accordance with state regulations, strengthen the safety management of information systems and network facilities related to the delivery of service user information.

Article 29 The network architecture of the information system of postal enterprises and express delivery enterprises shall conform to the national information security management regulations, reasonably divide the security areas, realize effective isolation between the security areas, and have the ability to prevent, monitor and block attacks and sabotage from internal and external networks.

Article 30 Postal enterprises and express delivery enterprises should be equipped with necessary anti-virus software and hardware to ensure that information systems and networks have the ability to prevent computer viruses and malicious codes from damaging information systems and networks, and avoid information leakage or tampering.

Article 31 When building information systems and networks, postal enterprises and express delivery enterprises should avoid using the default passwords and security parameters provided by information systems and network providers, adopt encryption measures for delivery user information transmitted through open public networks, and strictly examine and monitor remote access information systems and network equipment.

Article 32 When purchasing computer software, hardware products or technical services, postal enterprises and express delivery enterprises shall sign confidentiality agreements with suppliers to clarify their security responsibilities and their obligations to cooperate with postal administrations and relevant departments in investigating information security incidents.

Article 33 Postal enterprises and express delivery enterprises shall establish an internal audit system for information system security, carry out internal audits regularly, and rectify the problems found in time.

Article 34 Postal enterprises and express delivery enterprises should strengthen the authority management of information systems and networks, and allocate the minimum operating authority and the minimum accessible information scope to employees according to the principle of minimum authority and separation of authority.

Postal enterprises and express delivery enterprises should strengthen the management of information systems and databases, so that network managers only have the authority to maintain and optimize information systems, databases and networks. The maintenance operation of the network administrator must be authorized by the security administrator and monitored and audited by the security auditor.

Article 35 Postal enterprises and express delivery enterprises should strengthen the password management of information systems, use high-security password strategies, change passwords regularly, and prohibit the disclosure of passwords to irrelevant personnel.

Article 36 Postal enterprises and express delivery enterprises should strengthen the storage safety management of electronic information of delivery users, including:

(1) Use an independent physical area to store and transmit user information, and prohibit unauthorized personnel from entering or leaving the area;

(2) Store and transmit user information in an encrypted way;

(3) Ensure the safe use, storage and disposal of computers, mobile devices and mobile storage media containing user information. Specify the person in charge of managing data storage equipment and media, establish a registration system for the use and borrowing of equipment and media, and restrict the use of equipment output interfaces. If the storage equipment and media are scrapped, the delivery user information data shall be deleted in time and the hardware shall be destroyed.

Article 37 Postal enterprises and express delivery enterprises shall strengthen the application security management of delivering user information, audit all operations of exporting, copying and destroying user personal information in batches, take anti-leakage measures, record the personnel, time, place and matters of operation, and conduct information security audit.

Article 38 Postal enterprises and express delivery enterprises should strengthen the information security audit of off-duty personnel, and delete or disable the system accounts of off-duty personnel in time.

Article 39 Postal enterprises and express delivery enterprises shall formulate technical specifications for the safe interconnection of information systems and market-related entities, conduct access review on information systems storing delivery service information, and conduct regular security risk assessment.

Chapter V Supervision and Administration

Article 40 Postal administrations shall perform the following duties according to law:

(1) To formulate policies, systems and related standards to ensure the information security of delivery users, and supervise their implementation;

(2) To supervise and guide postal enterprises and express delivery enterprises to implement the information security responsibility system, and to urge enterprises to strengthen the information security management of delivery users;

(3) Monitoring, early warning and emergency management of information security of delivery users;

(4) To supervise and guide postal enterprises and express delivery enterprises to carry out publicity, education and training on the information security of delivery users;

(5) To supervise and inspect the information security of postal enterprises and express delivery enterprises according to law;

(6) To organize or participate in the investigation of information security accidents of delivery users, and investigate and deal with violations of information security management regulations of delivery users according to law;

(7) Other duties as prescribed by laws, administrative regulations and rules.

Article 41 Postal administrations should strengthen the publicity of postal users' information security management system and knowledge, strengthen the awareness of information security management of postal enterprises, express delivery enterprises and their employees, and improve users' awareness of personal information security protection.

Article 42 Postal management departments should strengthen the monitoring and early warning of the safe operation of postal users' information, establish an information management system, and collect and analyze all kinds of information related to information security.

Postal administrations at lower levels shall promptly report the information security of postal users to postal administrations at the next higher level, and notify relevant departments such as industry and informatization, communication management, public security, national security, commerce, and industrial and commercial administration as needed.

Article 43 Postal management departments should check the establishment and implementation of information security management systems of postal enterprises and express delivery enterprises, standardize the information security protection behavior of employees and prevent information security risks.

Article 44 Postal administrations shall investigate and deal with postal enterprises and express delivery enterprises that violate the regulations on the information security of delivery users and hinder or may hinder the information security of delivery users. If the illegal acts involve the management authority of other departments, the postal administration department shall, jointly with relevant departments, investigate and deal with the postal enterprises and express delivery enterprises involved.

Article 45 Postal management departments should strengthen the supervision and inspection of postal enterprises, express delivery enterprises and their employees to abide by these provisions.

Article 46 Postal enterprises and express delivery enterprises that refuse to cooperate with the supervision and inspection of the information security of delivery users shall be punished in accordance with the provisions of Article 77 of the Postal Law of the People's Republic of China (PRC).

Article 47 Postal enterprises, express delivery enterprises and their employees who have caused losses to users by leaking or delivering user information shall compensate them according to law.

Article 48 Postal enterprises, express delivery enterprises and their employees who illegally provide delivery user information, which does not constitute a crime, shall be punished in accordance with the provisions of Article 76 of the Postal Law of the People's Republic of China (PRC). If the case constitutes a crime, it shall be transferred to judicial organs for criminal responsibility.

Article 49 Any unit or individual has the right to report acts in violation of these provisions to the postal administration department. After receiving the report, the postal administration department shall promptly handle it according to law.

Article 50 Postal administrations can inform postal enterprises and express delivery enterprises of their behaviors and information security incidents that violate the regulations on information security management of delivery users, as well as the handling of relevant responsible personnel in the industry. The above information can be announced to the public when necessary, except those involving state secrets, business secrets and personal privacy.

Article 51 Postal administrations and their staff members shall keep confidential the information of delivery users they know in the course of performing their duties, and shall not disclose, tamper with or damage it, or sell it or illegally provide it to others.

Article 52 Any staff member of the postal administration department who abuses his power, neglects his duty or engages in malpractices for personal gain in the supervision and management of postal users' information security shall be dealt with in accordance with the provisions of Article 55 of the Measures for the Supervision and Administration of Postal Industry Safety.